Method and apparatus for settling payments using mobile devices

ABSTRACT

Techniques for mobile devices configured to support settlement of charges in electronic invoices or bills are described. A mobile device embedded with a secure element generates or is loaded with an electronic invoice. When the mobile device is brought to a consumer with an NFC mobile device, the data including the electronic invoice and other information regarding the mobile device or an owner thereof is read off wirelessly into the NFC mobile device. After the user verifies the amount being charged and authorizes the payment, the NFC mobile device communicates with a payment gateway or network for payment that is configured to proceed with the payment in accordance with a chosen payment methods.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is generally related to the area of electroniccommerce. Particularly, the present invention is related to a mobiledevice configured to settle payments using a mobile device readingelectronic bills or invoices off from another mobile device in a nearfield communication range.

2. The Background of Related Art

For many credit or debit card transactions, the payment process isstarted by a customer asking for a bill when checking out a purchase. Acashier or service member brings a bill to the customer forverification. The customer then hands out a credit/debit card to theservice staff member. The service member brings the card to a Point ofSales (POS) counter to initiate a transaction payment. The servicemember then brings back a receipt to the customer for signature toauthorize the transaction. It is a lengthy process that typically takesa couple of minutes or much longer when the service member has to takecare of multiple payment transactions at a time. In addition, in thecase for the debit card transactions, the process may be even moretroublesome when a PIN is needed to authorize the transaction at thePOS.

There is a need to simplify the payment process. With the advancement inmobile devices, it is anticipated that many consumers will carry onewith them. Thus there is an opportunity of using a mobile device toquickly settle the payment at a point of sale (POS).

SUMMARY OF THE INVENTION

This section is for the purpose of summarizing some aspects of thepresent invention and to briefly introduce some preferred embodiments.Simplifications or omissions may be made to avoid obscuring the purposeof the section. Such simplifications or omissions are not intended tolimit the scope of the present invention.

The present invention is related to techniques for mobile devicesconfigured to support settlement of charges in electronic invoices orbills. According to one aspect of the present invention, a mobile deviceembedded with a secure element generates or is loaded with an electronicinvoice. When the mobile device is brought to a consumer with an NFCmobile device, the data including the electronic invoice and otherinformation regarding the mobile device or an owner thereof is read offwirelessly into the NFC mobile device. After the user verifies theamount being charged and authorizes the payment, the NFC mobile devicecommunicates with a payment gateway or network for payment that isconfigured to proceed with the payment in accordance with a chosenpayment methods.

According to another aspect of the present invention, the mobile deviceis a contactless card or part of a point of sale (POS) machine used togenerate the electronic invoice. One embodiment of the present inventionprovides unanticipated benefits and advantages in an application inwhich a payment process would otherwise have to be involved in more thanone contacts between a merchant and the consumer. One of suchapplications is a payment process in a restaurant, where a consumer isgiven a check first for verification and a chance to add a gratitudebefore a final charge is determined and paid. Using the NFC mobiledevice, the consumer can finish the payment using a chosen paymentmethod at the point of sale without further contacting the merchant.

According to still another aspect of the present invention, a consumeruses his/her mobile device, per the data received therein, to settle thepayment process with a payment network, where the payment network may bean existing payment infrastructure (e.g., money transfer or creditcard/debit). A payment response is sent to the merchant once a paymentis delivered to a designed account by the merchant.

According to still another aspect of the present invention, the mobiledevice being used by the consumer is itself an electronic purse. Thusthe consumer operates his/her mobile device to settle the charge oncethe electronic invoice is received and displayed thereon.

According to still another aspect of the present invention, the mobiledevice used by the consumer is a near field communication (NFC) deviceand being part of a mobile payment ecosystem in which various partiesare work with each other in order for the mobile payment ecosystemsuccessful. Via a server (e.g., implemented as a manager) configured toprovide what is referred to herein as Trusted Service Management (TSM),the secure element in the mobile device can be remotely personalized andvarious applications or modules can be downloaded, updated, managed orreplaced after they are respectively provisioned via the Trusted ServiceManager (i.e., the TSM server). One of the modules being installed inthe POS machine or an NFC device used by the merchant is referred to asSmart Bill Payment. The module is configured to facilitate thecommunication between the merchant (its device) and the user (his/hermobile device) and the data exchange therebetween, where the mobiledevice being used by the user is installed with a correspondingapplication related to Smart Bill Payment.

One important features, advantages and benefits in the present inventionis to facilitate the settlement of charges using an NFC mobile device toread off data pertaining to an electronic invoice. The present inventionmay be implemented as a single device, a server, a system or a part ofsystem. It is believed that various implementations may lead to resultsthat may not be achieved conventionally.

According to one embodiment, the present invention is a method forsettling a payment, the method comprises: providing a software module tobe executed in a first mobile device embedded with a secure element,wherein the secure element has been personalized and the software moduleis provisioned with the personalized secure element, the first mobiledevice is configured to include data pertaining to an electronicinvoice; receiving a payment request from a second mobile device after auser of the second mobile device authorizes the payment to theelectronic invoice transported wirelessly from the first mobile device,wherein the second mobile device is a near-field communication deviceand is configured to execute an application that communicates with thesoftware module in the first mobile device to read the data off from thefirst mobile device; verifying the payment request; and sending apayment response to a user of the first mobile device after the paymentrequest is processed. In the embodiment, the second mobile deviceincludes a display screen and is caused to display the electronicinvoice when the data is in the second mobile device.

According to another embodiment, the present invention is a gatewayprovided for settling a payment, the gateway may include a server or acollection of servers. The gateway comprises a portal providing asoftware module to be downloaded and executed in a first mobile deviceembedded with a secure element, wherein the secure element has beenpersonalized and the software module is provisioned with thepersonalized secure element, the first mobile device is configured toinclude data pertaining to an electronic invoice. The gateway furthercomprises a server that includes: a processor and a store, coupled tothe processor, for code to be executed in the processor to cause theserver to perform operations of:

-   -   receiving a payment request from a second mobile device after a        user of the second mobile device authorizes the payment to the        electronic invoice transported wirelessly from the first mobile        device, wherein the second mobile device is a near-field        communication device and is configured to execute an application        that communicates with the software module in the first mobile        device to read the data off from the first mobile device;    -   verifying the payment request; and    -   sending a payment response to a user of the first mobile device        after the payment request is processed.

Other objects, features, and advantages of the present invention willbecome apparent upon examining the following detailed description of anembodiment thereof, taken in conjunction with the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be readily understood by the following detaileddescription in conjunction with the accompanying drawings, wherein likereference numerals designate like structural elements, and in which:

FIG. 1A shows a system configuration according to one embodiment of thepresent invention, where the payment network represents a collection ofservices or networks provided to settle payments via a financialinstitution;

FIG. 1B shows a flowchart or process of settling a payment according toone embodiment, where the process may be implemented in software or acombination of software and hardware;

FIG. 2A shows a mobile payment ecosystem in which related parties areshown in order for the mobile payment ecosystem successful;

FIG. 2B shows a flowchart or process of provisioning one or moreapplications according to one embodiment;

FIG. 2C shows a data flow illustrating various interactions amongdifferent parties when an application is being provisioned in oneembodiment;

FIG. 2D shows a data flow among different entities when preparing theapplication data in provisioning an application;

FIG. 2E shows a flowchart or process for locking or disabling aninstalled application;

FIG. 2F shows an exemplary architecture diagram of a portable deviceenabled as an e-purse conducting e-commerce and m-commerce, according toone embodiment of the present invention;

FIG. 3A is a block diagram of related modules interacting with eachother to achieve what is referred to herein as e-purse personalizationby an authorized personnel (a.k.a., personalizing a mobile device or asecure element therein while provisioning an application);

FIG. 3B shows a block diagram of related modules interacting with eachother to achieve what is referred to herein as e-purse personalizationby a user of the e-purse;

FIG. 3C shows a flowchart or process of personalizing an e-purseaccording to one embodiment of the present invention;

FIG. 4A and FIG. 4B show together a flowchart or process of financing,funding, load or top-up an e-purse according to one embodiment of thepresent invention;

FIG. 4C shows an exemplary block diagram of related blocks interactingwith each other to achieve the process FIG. 4A and FIG. 4B;

FIG. 5A is a diagram showing a first exemplary architecture of aportable device for enabling e-commerce and m-commerce functionalitiesover a cellular communications network (i.e., 3G, LTE or GPRS network),according an embodiment of the present invention;

FIG. 5B is a diagram showing a second exemplary architecture of aportable device for enabling e-commerce and m-commerce functionalitiesover a wired and/or wireless data network (e.g., Internet), accordinganother embodiment of the present invention;

FIG. 5C is a flowchart illustrating an exemplary process of enabling theportable device of FIG. 5A for services/applications provided by one ormore service providers in accordance with one embodiment of the presentinvention;

FIG. 6A is a diagram showing an exemplary architecture, in which aportable device is enabled as a mobile POS conducting e-commerce andm-commerce, according to one embodiment of the present invention;

FIG. 6B is a diagram showing an exemplary architecture, in which aportable device is enabled as a mobile POS conducting a transactionupload operation over a network, according to an embodiment of thepresent invention;

FIG. 6C is a flowchart illustrating an exemplary process of conductingm-commerce using the portable device enabled as a mobile POS with ane-token enabled device as a single functional card in accordance withone embodiment of the present invention;

FIG. 6D is a flowchart illustrating an exemplary process of conductingm-commerce using the portable device enabled as a mobile POS against aan e-token enabled device as a multi-functional card; and

FIG. 7 is a diagram depicting an exemplary configuration in which aportable device used for an e-ticking application.

DETAILED DESCRIPTION OF THE INVENTION

In the following description, numerous specific details are set forth toprovide a thorough understanding of the present invention. The presentinvention may be practiced without these specific details. Thedescription and representation herein are the means used by thoseexperienced or skilled in the art to effectively convey the substance oftheir work to others skilled in the art. In other instances, well-knownmethods, procedures, components, and circuitry have not been describedin detail since they are already well understood and to avoidunnecessarily obscuring aspects of the present invention.

Reference herein to “one embodiment” or “an embodiment” means that aparticular feature, structure, or characteristic described in connectionwith the embodiment can be included in at least one implementation ofthe invention. The appearances of the phrase “in one embodiment” or “inthe embodiment” in various places in the specification are notnecessarily all referring to the same embodiment, nor are separate oralternative embodiments mutually exclusive of other embodiments.Further, the order of blocks in process, flowcharts or functionaldiagrams representing one or more embodiments do not inherently indicateany particular order nor imply limitations in the invention. As used inthis specification and the appended claims, the singular forms “a,”“an,” and “the” include plural referents unless the context clearlydictates otherwise. It should also be noted that the term “or” isgenerally employed in its sense including “and/or” unless the contextclearly dictates otherwise.

Embodiments of the present invention are discussed herein with referenceto FIGS. 1A-7. However, those skilled in the art will readily appreciatethat the detailed description given herein with respect to these figuresis for explanatory purposes only as the invention extends beyond theselimited embodiments.

Near Field Communication (NFC) presents significant businessopportunities when used in mobile devices for applications such aspayment, transport ticketing, loyalty, physical access control, andother exciting new services. To support this fast evolving businessenvironment, various NFC-enabled mobile phones or devices are beingadvanced to support various uses in daily life.

FIG. 1A shows a system configuration 100 according to one embodiment ofthe present invention. A network 102 represents a collection of servicesor networks provided to settle payments by a financial institution. Inother words, it is a system providing services to electronicallytransfer money or settle payments. What makes it a system is that itemploys cash-substitutes as the traditional payments are negotiableinstruments such as drafts (e.g., checks) and documentary credits, suchas letter of credits. With the advent of computers and electroniccommunications, a large number of alternative electronic payment systemshave emerged. These include debit cards, credit cards, electronic fundstransfers, direct credits, direct debits, internet banking ande-commerce payment systems. Payment systems are used in lieu oftendering cash in domestic and international transactions and consist ofa major service provided by banks and other financial institutions.

The payment system or network 102 may be physical or electronic and hasits own procedures and protocols. An example of the payment system thathas become globally available is Visa or Master Card, a true globalcredit card and automated teller machine network. Both merchants andconsumers use the payment system to settle transactions.

According to one embodiment, a payment gateway 104 includes a server ora collection of servers configured to provide an application that may beinstalled in a mobile device for a user thereof to enjoy one of thebenefits in the present invention. The application named smart billpayment herein is published in the Internet and may be downloaded from adesignated place (e.g., a portal provided by a server). A user uses amobile device to download the application and install it in the mobiledevice. The application may be automatically or manually executed toauthorize a payment to a displayed electronic invoice, wherein theelectronic invoice is generated or produced from a data exchange withanother device via a secure element in the mobile device. Unlessotherwise explicitly indicated, the term of “mobile device”, “computingdevice”, “smart phone”, “portable device”, “handset” or the like will beinterchangeably used herein, but those skilled in the art willunderstand the description herein shall be equally applicable to otherdevices such as a wearable watch, a tablet, a laptop computer, and otherportable computing device with the capability of near fieldcommunication (NFC).

Referenced by 106 is a device at a point of sale (POS), herein a POSdevice. Depending on implementation, the POS device 106 may come as asingle device (e.g., an NFC device) or a stationary device with one ormore portable devices (e.g., contactless cards). One of the purposes forthe device 106 is to generate an electronic bill (or invoice) to beloaded to a portable device 108 (e.g., a contactless card or an NFCdevice) for contacting with an NFC device of a consumer for settlementof the invoice.

According to one embodiment, the POS device is a single device embeddedwith a secure element. The single device may be an NFC device that isused to enter information to generate an invoice. For example, acustomer has ordered several dishes in a restaurant, a casher enters theindividual charges for the dishes in the NFC device that generates abill showing the total including the sale tax and sometimes the tips.The casher or a waiter brings the NFC device to the customer forauthorization and payment. According to another embodiment, the POSdevice includes a stationary device corresponding to 106 of FIG. 1A andone or more contactless cards corresponding to 108 of FIG. 1A. Thestationary device is used by the casher to enter charging information togenerate an invoice. A contactless card is loaded with the electronicinvoice and brought to the customer for authorization and payment. Inthe following description, unless specifically stated, a POS devicemeans either one of the cases and will be described as if it is a singledevice. Given the detailed description herein, those skilled in the artcan fully appreciate what a POS device means when practicing oneembodiment of the present invention.

As will be further described below, the POS device is embedded with asecure element. It is the secure element that provides the security andconfidentiality required to support secure data communication betweentwo devices, and facilitates the communication between a mobile deviceand a server. In general, a secure element (SE) is a tamper-resistantplatform (e.g., a single-chip secure microcontroller) capable ofsecurely hosting applications and their confidential and cryptographicdata (e.g., key management) in accordance with the rules and securityrequirements set forth by a set of well-identified trusted authorities.The common form factors of SE include: Universal Integrated Circuit Card(UICC), embedded SE and microSD. Both the UICC and microSD areremovable. In one embodiment of the invention, a software module isconfigured to act as an SE and upgradable by overwriting some or all ofthe components therein. Regardless of the form factors, each form factorlinks to a different business implementation and satisfies a differentmarket need. For a secure element to be used, it has to be personalized.The details of personalizing a secure element may be found in co-pendingU.S. application Ser. No. 13/749,696 which is hereby incorporated byreference.

According to one embodiment, a software module (e.g., an applet),referred to herein as smart bill payment applet correspond to anapplication as described above, is loaded in the POS device andprovisioned with the secure element therein. The module may be publishedby a service provider operating the gateway or server 104 anddownloadable to an NFC device over a wireless or wired network. Oncedownloaded, the module must be provisioned with the service provider sothat secure data may be exchanged with the server 104. Co-pending U.S.application Ser. No. 13/749,696 describes the details of provisioning anapplication with a personalized secure element, which is herebyincorporated by reference.

FIG. 1B shows a flowchart or process 120 of settling a payment accordingto one embodiment of the present invention. The process 120 may beimplemented in software or a combination of software and hardware.Without any implied limitations, the process 120 may be betterunderstood in conjunction of FIG. 1A.

To facilitate the description of the process 120, it is assumed that acustomer has dinned in a restaurant, where the restaurant has installeda POS device that includes a stationary device for a casher tomanage/input various charging data to generate a bill for the customer.The POS device also includes a reader exchanging data with one or morecontactless cards. In other words, after the casher enters the necessaryinformation, an electronic bill is generated and loaded into acontactless card.

At the end of the dinning, a waiter lets a casher prepare a check (i.e.,a bill) on a POS machine corresponding to 106 of FIG. 1. The POS machinegenerates an electronic bill that is transported to a contactless cardat 122, where the contactless card is embedded with a personalizedsecure element. At 124, the waiter brings the contactless card to thecustomer. The customer uses his mobile device to read the contactlesscard at 126. As described above, the mobile device is assumed to havebeen installed with a corresponding smart bill application. Upondetecting the contactless card in the near field, the smart billapplication is executed and reads off data pertaining to the electronicbill from the contactless card at 128 and subsequently displays theelectronic bill on a screen of the mobile device for the consumer toverify. Unlike a traditional invoice commonly seen on a screen, theelectronic bill in the contactless card and being transferred from thecontactless card to the mobile device includes security information of aregistered user associated with the restaurant or the merchant. Thesecurity information includes, but may not be limited to, an account andbank information of the restaurant, the identifier of the secure elementin the contactless card or the POS device. In one embodiment, the dataalso includes an address or a link from which the merchant gets anotification (i.e., the payment response) when the charge is settled.Depending on the implementation, the notification may be sent to adesignated mobile device as a short message or an email message.

Upon seeing the displayed bill being displayed on a display screen, thecustomer may choose a method to settle the invoice. Depending onimplementation, the customer may choose to settle the charge with anelectronic wallet or purse (a.k.a., e-purse) already created in themobile device, cash, a traditional credit or debit card, an electronictransfer/payment or others. The settlement with e-purse will be furtherdetailed below.

FIG. 1B is provided to illustrate one embodiment of using the electronicpayment, a type of money transfer service provided by the paymentgateway 102 as shown in FIG. 1A. At 130, the customer has chosen theelectronic payment that is provided by the installed smart billapplication and enters how much to be paid against the bill. It shall benoted that the consumer may enter more than what is being charged in theinvoice as a tip to the service provided by the restaurant. Once thetotal amount is entered by the consumer, at 132, the application (i.e.,the mobile device) sends a payment request including the data pertainingto the electronic bill to the server 104 for processing. As furtherdescribed late herein, in one embodiment, the data exchange between themobile device and the gateway 102 is conducted in a secured channelestablished in accordance with the security information in the datapertaining to the electronic invoice.

Upon receiving the payment request, the server 104 is configured toverify if the amount entered by the consumer is sufficient to cover thecharge in the bill at 134. If the amount is less than what is beingcharged in the bill, for example, the consumer may enter a wrong numberor a typo in the number, the server 104 would return the payment requestto the mobile device. Upon receiving the rejection, the bill applicationin the mobile device displays the rejection to get attention from theconsumer so that an appropriate step may be taken to proceed with thepayment. If the amount is equal or more than what is being charged(e.g., the consumer desires to include a tip on top of the charge), theserver 104 proceeds with the payment request at 136.

As shown in FIG. 1B, the server 104 receives the payment requestauthorized by the consumer and proceeds with the payment request inconjunction with the payment network 102. In one embodiment, the server104 provides a payment service similar to Paypal commonly used in US andother countries or Alipay mainly used in China. Once the transaction iscomplete or denied, the server 104 sends a notice to the merchant (e.g.,the restaurant).

As indicated above, in one embodiment, the device 110 of FIG. 1A isconfigured to function as an electronic purse or e-purse that may beused to directly settle a charge being displayed on a display screenthereof. The following description details how the e-purse works in amobile payment ecosystem.

Referring now to FIG. 2A, it shows a mobile payment ecosystem 200 inwhich related parties are involved in order for the mobile paymentecosystem successful. According to one embodiment, an NFC device isallowed to install or download one or more applications from respectivedesignated servers 202 (i.e., application management providers), wherethe applications are originally developed by developers 204 anddistributed by service providers 210, application management providers202 or others. It is assumed that the secure element 206 provided by asecure element provider 208 has already been personalized via a TSM or atrusted third party (e.g., a financial institution 212).

Once an application (e.g., a Smart Bill Payment application in thedevice 110 or a Smart Bill Payment applet in the POS device 106 of FIG.1A) is installed in an NFC device, the next step is to provision theapplication with the secure element therein. An application provisioningprocess can be started in several ways. One of the ways is that an SEholder selects an application from a TSM portal on the mobile device andinitiates the provisioning process. Another one is that the SE holderreceives an application provisioning notification on the mobile devicefrom the TSM on behalf of an application (service) provider.

The TSM or application providers can publish their applications on a TSMportal to be downloaded to a mobile device with the SE and/or subscribedat a request of a user (a.k.a., an SE holder). In one embodiment, theTSM is a cloud service to serve many SE issuers. Thus, many applicationsfrom various service providers are available on the TSM portal. However,when getting onto the TSM portal, SE holders can only see thoseapplications approved by its own SE issuer. Depending on the arrangementbetween an SE and a service provider, an application can either bedownloaded/installed/personalized using the ISD keyset of the SE or aspecific SSD keyset of the service provider. If an SSD keyset has notbeen installed on the SE, it can be installed during an applicationinstallation.

The TSM is designed to know the memory state or status of an SE forvarious SSDs. Based on the state of the SE and the memory allocationpolicy of the SSDs, the available applications for the various SSD inthe application store may be marked with different indicators, forexample, “OK to install”, or “Insufficient memory to install”. This willprevent unnecessary failure for users.

Once an application is installed on an NFC device, the applicationinitiates a provisioning process by itself, or the TSM can push aprovisioning notification to the NFC device via a cellular network or awireless data network. Depending on the type of the devices, there aremany different types of push messages to cause the NFC device to initialthe provision process. An example of the push methods includes an SMSpush or an Android Google Push. Once a user accepts the notification,the provisioning process starts. The details of the provisioning processwill be described below whenever deemed appropriate.

As part of the application provisioning, a TSM server implements someprotective mechanism. One is to prevent an SE from being accidentallylocked. Another is to disable application download if there is nosufficient memory on SE. In some cases, an SE may permanently lockitself if there are too many failed mutual authentications during securechannel establishment. In order to prevent the SE from beingaccidentally locked, the TSM keeps the track of the number of failedauthentications between an SE and the TSM when establishing a securedchannel between the two entities. In one embodiment, the TSM isconfigured to reject any further request if a preset limit is reached.The TSM can continue to process the SE request if the SE is reset at theservice center manually.

The TSM also keeps track of the memory usage of each SE. The TSM decideswhether an application can be installed on an SE based on the memoryallocation assigned by the SE issuer to each service provider. Accordingone embodiment, there are three types of policies:

-   -   pre-assigned fixed memory to guarantee a space of fixed        capacity.    -   pre-assigned minimum memory to guarantee a space of a minimum        capacity (implying that the capacity may be expanded under some        conditions).    -   best efforts (e.g., a contractual provision which requires the        SE issuer to use its highest efforts to perform its obligations        and to maximize the benefits to be received by the user).

According to one embodiment, an SE issuer uses a TSM web portal to makethis assignment.

-   -   1. For a batch of SE, the SE issuer can pre-assign a memory        policy for a service provider to install its applications via        the TSM web portal;    -   2. The TSM server verifies whether the space of the respective        service provider conforms to its policy when a mobile device        requests to install one of its applications. If not conformed,        this request is rejected, otherwise, the TSM server will proceed        to handle the provisioning request;    -   3. If the provisioning succeeds, the TSM will accumulate the        memory size of this application service.

When a mobile user subscribes to a mobile application (assuming it hasbeen installed), the application has to be provisioned with the SE inthe mobile device before it can be used. According to one embodiment,the provisioning process includes four major stages:

-   -   to create an supplemental security domain (SSD) on the SE, if        needed;    -   to download and install an application cap on the SE;    -   to personalize the application on the SE; and    -   to download a UI component on mobile phone.

FIG. 2B shows a flowchart or process 220 of provisioning one or moreapplications according to one embodiment. The process 220 may beimplemented in software or a combination of software and hardware. Inone embodiment, the application provisioning process 220 needs to gothrough a provisioning manager (i.e., proxy) on the mobile phone tointeract with the SE therein.

As shown in FIG. 2B, at 222, the application provisioning process 220may be started manually or automatically. For example, a user mayinitiate the process 220 by selecting an installed application tosubscribe related services or the installed application, when activated,initiates the provisioning process, provided it has not beenprovisioned. In another embodiment, a provider of an application pushesa message (e.g., SMS) to the mobile phone to initiate the provisioningprocess.

As shown in FIG. 2B, at 222, the application provisioning process 220may be started manually or automatically. For example, a user mayinitiate the process 220 by selecting an installed application tosubscribe related services or the installed application, when activated,initiates the provisioning process, provided it has not beenprovisioned. In another embodiment, a provider of an application pushesa message (e.g., SMS) to the mobile phone to initiate the provisioningprocess.

In any case, the process 220 goes to 224 to establish a communicationwith a dedicated server (e.g., a TSM server or a server operated by anapplication distributor) after the device information (e.g., CPLC) isretrieved from the SE in the mobile device. The device information alongwith an identifier identifying the application is transmitted to theserver at 226. Based on the device information, the server identifiesthe issuer for the SE first at 228 to determine if the SE has beenpersonalized at 230. If the SE has not been personalized, the process220 goes to 232 to personalize the SE.

It is now assumed that the SE in the mobile device has beenpersonalized. The process 220 now goes to 234 to establish a securechannel with the SE using the derived ISD. Depending on who houses theHSM (TSM or SE issuer) for the ISD, the server will contact the HSM tocompute the derived ISD for the SE and establish a secure channel withthe SE using this derived ISD. The server is then configured to check tosee whether there is an SSD associated with this application at 236. Ifthere is not an SSD associated with the application, the server isconfigured to check a database to see whether it has been installed withthis SE. If the SSD installation is needed, then the process 220 goes toinstall the SSD. In one embodiment, the user is alerted of theinstallation of the SSD (keys). Should the user refuse to install theSSD at 238, the process 220 stops and goes to 222 to restart theprovisioning process 220.

It is now assumed that the process of installing the SSD proceeds at240. Installing the SSD is similar to installing the ISD. The TSM serveris configured to contact the HSM that houses the SSD master key tocompute the derived SSD key set for the SE. The master SSD key set canbe either in the TSM or with the service provider or the SE issuer,largely depending on how the arrangement is made with all partiesinvolved.

To download/install the application to the SE, the server is configuredto establish a secure channel with the SE using this derived SSD at 242.In one embodiment, this is similar to how the ISD-based secure channelis established. At 244, the data for the application is prepared, thedetail of which will be further discussed below. According to oneembodiment, the server is configured to contact the service provider toprepare asset of APDUs, such as STORE DATA APDUs, where ADPU stands forApplication Protocol Data Unit. Depending on an application installed ina mobile device, the server may be caused to repeatedly issue STORE DATAto personalize the application with the SE. Additional data including anappropriate interface (e.g., a user interface of the application per themobile device) may be downloaded provided that the provisioning processis successfully done. At 246, the server will notify the applicationprovider the status of the application that has been provisioned.According to one embodiment and the above description, FIG. 2C shows adata flow 250 illustrating various interactions among different partieswhen an application is being provisioned in one embodiment.

As shown in 244 of FIG. 2B, one of the important functions inprovisioning an application is to prepare customized application datafor the targeted SE. For example, for an e-purse application, thepersonalized data for the application includes various personalizedtransaction keys generated based on the device information (e.g., CPLCinfo) of the SE. For transit e-purse, part of the personalized dataincludes the Mifare access keys derived from an identifier (ID) of theMifare card, the server is configured to personalize both Java Cardapplications and Mifare4Mobile service objects. In general, there are atleast two different ways to prepare the data to facilitate subsequenttransactions.

For data preparation, one embodiment of the present invention supportstwo operation modes to interact with service providers for computing thepersonalized application data. For the first mode, a TSM server does nothave direct access to the HSM associated with a service provider. Theservice provider may have a server interacting with its HSM to generatethe application keys (e.g., Transit, e-purse, or Mifare Key). The TSMdata preparation implementation is to make use of application programinterfaces (API) or a protocol provided by the server to request forderived application keys. The second mode is that data preparationimplementation can directly access the HSM associated with the serviceprovider to generate the application keys.

According to one embodiment, FIG. 2D shows a data flow 255 amongdifferent entities when preparing the application data in provisioningan application. FIG. 2D is provided to show the first mode in which aTSM server does not have direct access to the HSM associated with aservice provide. The second mode has a similar flow except that theapplication data preparation implementation will interact directly withthe HSM of a service provider.

Besides supporting a provisioning process, one embodiment of the presentinvention also supports the life cycle management of an SE. The lifecycle management includes, but may not be limited to, SE lock, SEunlock, Application Delete (disabling). The initiation of theseactivities may be through a TSM push notification. In actual use ofmobile devices, FIG. 2E shows a flowchart or process 260 of locking aninstalled application. An NFC device may have been installed with anumber of applications in connection with or running on top of thesecured element therein. For some reason (e.g., no activity for aprolonged period or expiration), an application needs to be disabled orlocked by its distributor or provider.

FIG. 2E shows an operation or process 260 to disable an installedapplication. The process 260 is initiated at 262. In one embodiment, theprocess 260 is initiated by an operator manually via a TSM web portal.In another embodiment, the process 260 is automatically initiated by aservice provider internal workflow (e.g., using TSM web service API).Once the process 260 is initiated, a message is pushed to an NFC device(e.g., within a mobile device) in which an application is to bedisabled. Depending on application, such a message may come in differentforms. In one embodiment, the message is a PUSH command. In anotherembodiment, the message is a TCP/IP request delivered to the device viaa network. The message may be sent from a server (e.g., a TSM server) at264. Depending on implementation, such a message may include anidentifier identifying an application to be locked or disabled. Uponreceiving such a message, a card manager proxy on the device is causedto verify whether such a message is indeed from its original distributoror provider by returning a message at 266. According to one embodiment,the message is sent to the TSM server for verification. If theverification fails, namely there is no acknowledgement to such aninquiry, the process 260 is abandoned.

It is now assumed that the verification is successful, namely theinquiry from the device to a provider of the application returns anacknowledgement that the original request is authenticated. In general,such an acknowledgement includes an identifier confirming theapplication to be locked at 268. The TSM server is configured toestablish a secure channel with the SE as described previously. Then,the TSM server is to prepare appropriate APDUs (such as SET STATUS,or/and DELETE) for the SE for execution via the card manager proxy.

In any case, in responding to the command, the SE proceeds by lockingthe application at 272. According to one embodiment, the SE is caused todisassociate with the application, thus making the installed applicationno longer usable with the SE. At 274, the SE is configured to send outan acknowledgement to notify related parties that this application is nolonger operating in the device. In one embodiment, the acknowledgementis sent over to the TSM server where there is a database recording whatapplications have been installed in what device, and a correspondingstatus of each. The database is updated with the acknowledgement fromthe SE.

FIG. 2E shows a flowchart or process for disabling or locking aninstalled application. It is known to those skilled in the art thatother operations, such as unlocking or enabling an installedapplication, extending expiration of an installed application, aresimilar to the one shown in FIG. 2E, and thus the flowcharts thereof arenot provided herein.

Referring now to FIG. 2F, there shows an exemplary architecture diagram280 of a portable device enabled as an electronic wallet or e-purse tofacilitate e-commerce and m-commerce, according to one embodiment of thepresent invention. The diagram 280 includes a cell phone 282 embeddedwith a smart card module. An example of such a cell phone is a nearfield communication (NFC) enabled cellphone that includes a Smart MX(SMX) module. Not separately shown, there is an SE that has alreadypersonalized according to the process discussed above. An application toenable the device as e-purse has also been installed. Unless explicitlystated, the following description will not call out which part isperforming the function of a secure element and which part is performingas an application. Those skilled in the art shall appreciate the properparts or functions being performed given the detailed descriptionherein.

The SMX is pre-loaded with a Mifare emulator 288 (which is a singlefunctional card) for storing values. The portable phone is equipped witha contactless interface (e.g., ISO 14443 RFID) that allows the portablephone to act as a tag. In one embodiment, the SMX is a JavaCard that canrun Java applets. The e-purse application is configured to be able toaccess the Mifare data structures with appropriate transformed passwordsbased on the access keys created when the SE is personalized.

In the portable phone 282, an e-purse manager MIDlet 204 is provided.For m-commerce, the MIDlet 284 acts as an agent to facilitatecommunications between an e-purse applet 286 and one or more paymentnetwork and servers 290 to conduct transactions therebetween. As usedherein, a MIDlet is a software component suitable for being executed ona portable device. The e-purse manager MIDlet 284 is implemented as a“MIDlet” on a Java cell phone, or an “executable application” on a PDAdevice. One of the functions of the e-purse manager MIDlet 284 is toconnect to a wireless network and communicate with an e-purse appletwhich can reside on either the same device or an external smart card. Inaddition, it is configured to provide administrative functions such aschanging a PIN, viewing an e-purse balance and a transaction historylog. In one application in which a card issuer provides a SAM 292 thatis used to enable and authenticate any transactions between a card and acorresponding server (also referred to as a payment server). As shown inFIG. 2F, APDU commands are constructed by the servers 290 having accessto a SAM 292, where the APDU is a communication unit between a readerand a card. The structure of an APDU is defined by the ISO 7816standards in one embodiment. Typically, an APDU command is embedded innetwork messages and delivered to the server 290 or the e-purse applet286 for processing.

For e-commerce, a web agent 294 on a computer (not shown) is responsiblefor interacting with a contactless reader (e.g., an ISO 14443 RFIDreader) and the network server 290. In operation, the agent 294 sendsthe APDU commands or receives responses thereto through the contactlessreader 296 to/from the e-purse applet 286 residing in the cell phone282. On the other hand, the agent 294 composes network requests (such asHTTP) and receives responses thereto from the payment server 280.

To personalize or provision the portable phone 282, FIG. 3A shows ablock diagram 300 of related modules interacting with each other toachieve what is referred to herein as e-purse personalization (orprovisioning) by an authorized person. FIG. 3B shows a block diagram 320of related modules interacting with each other to achieve what isreferred to herein as e-purse personalization by a user of the e-purseas shown in FIG. 2F.

FIG. 3C shows a flowchart or process 350 of personalizing an e-purseapplet according to one embodiment of the present invention. FIG. 3C issuggested to be understood in conjunction with FIG. 3A and FIG. 3B. Theprocess 350 may be implemented in software, hardware or a combination ofboth.

As described above, an e-purse manager is built on top of thealready-personalized SE to provide a security mechanism necessary topersonalize the e-purse applet designed therefor. In operation, asecurity domain is used for establishing a secured channel between apersonalization application server and the e-purse applet. According toone embodiment, the essential data to be personalized into the e-purseapplet include one or more operation keys (e.g., a load or top-up keyand a purchase key), default PINs, administration keys (e.g., an unblockPIN key and a reload PIN key), and passwords (e.g., from Mifare).

It is assumed that a user desires to personalize an e-purse appletembedded in a portable device (e.g., a cell phone). At 352 of FIG. 3C, apersonalization process is initiated. Depending on implementation, thepersonalization process may be implemented in a module in the portabledevice and activated manually or automatically, or a physical processinitiated by an authorized person (typically associated with a cardissuer). As shown in FIG. 3A, an authorized personal initiates apersonalization process 304 to personalize the e-purse applet for a userthereof via an existing new e-purse SAM 306 and an existing SAM 308 withthe contactless reader 310 as the interface. The card manager 311performs at least two functions: 1) establishing a security channel, viaa security domain, to install and personalize an external application(e.g., e-purse applet) in the card personalization; and 2) creatingsecurity means (e.g., PINs) to protect the application during subsequentoperations. As a result of the personalization process using thepersonalization application server 304, the e-purse applet 312 and theemulator 314 are personalized.

Similarly, as shown in FIG. 3B, a user of an e-purse desires to initiatea personalization process to personalize the e-purse applet wirelessly(e.g., via the m-commerce path of FIG. 2). Different from FIG. 3A, FIG.3B allows the personalization process to be activated manually orautomatically. For example, there is a mechanism on a cell phone that,if pressed, activates the personalization process. Alternatively, astatus of “non-personalized” may prompt to the user to start thepersonalization process. As described above, a MIDlet 322 (i.e., aprovisioning manager or a service manager) in a portable device acts asan agent to facilitate the communication between a payment server 324and the e-purse applet 312 as well as the emulator 314, wherein thepayment server 324 has the access to the existing new e-purse SAM 306and an existing SAM 308. As a result of the personalization process, thee-purse applet 312 and the emulator 314 are personalized.

Referring now back to FIG. 3C, after the personalization process isstarted, in view of FIG. 3A, the contactless reader 310 is activated toread the tag ID (i.e., RFID tag ID) and essential data from a smart cardin the device at 354. With an application security domain (e.g., adefault security setting by a card issuer), a security channel is thenestablished at 356 between a new e-purse SAM (e.g., the SAM 306 of FIG.3A) and an e-purse applet (e.g., the e-purse applet 312 of FIG. 3A) inthe portable device.

Each application security domain key set includes at least three (3) DESkeys. For example:

Key1: 255/1/DES-ECB/404142434445464748494a4b4c4d4e4f

Key2: 255/2/DES-ECB/404142434445464748494a4b4c4d4e4f

Key3: 255/3/DES-ECB/404142434445464748494a4b4c4d4e4f

A security domain is used to generate session keys for a secured sessionbetween two entities, such as the card manager applet and a hostapplication, in which case the host application may be either a desktoppersonalization application or a networked personalization serviceprovided by a backend server.

A default application domain can be installed by a card issuer andassigned to various application/service providers. The respectiveapplication owner can change the value of the key sets before thepersonalization process (or at the initial of the process). Then theapplication can use the new set to create a security channel forperforming the personalization process.

With the security channel is established using the applicationprovider's application security domain, the first set of data can bepersonalized to the e-purse applet. The second set of data can also bepersonalized with the same channel, too. However, if the data are inseparate SAM, then a new security channel with the same key set (ordifferent key sets) can be used to personalize the second set of data.

Via the new e-purse SAM 306, a set of e-purse operation keys and PINsare generated for data transactions between the new e-purse SAM and thee-purse applet to essentially personalize the e-purse applet at 358.

A second security channel is then established at 360 between an existingSAM (e.g., the SAM 308 of FIG. 3A) and the e-purse applet (e.g., thee-purse applet 312 of FIG. 3A) in the portable device. At 362, a set oftransformed keys is generated using the existing SAM and the tag ID. Thegenerated keys are stored in the emulator for subsequent data accessauthentication. At 358, a set of MF passwords is generated using theexisting SAM and the tag ID, then is stored into the e-purse applet forfuture data access authentication. After it is done, the e-purseincluding the e-purse applet and the corresponding emulator is set to astate of “personalized”.

FIG. 4A and FIG. 4B show together a flowchart or process 400 offinancing or funding an e-purse according to one embodiment of thepresent invention. The process 400 is conducted via the m-commerce pathof FIG. 2. To better understand the process 400, FIG. 4C shows anexemplary block diagram 450 of related blocks interacting with eachother to achieve the process 400. Depending on an actual application ofthe present invention, the process 400 may be implemented in software,hardware or a combination of both.

A user is assumed to have obtained a portable device (e.g., a cellphone) that is configured to include an e-purse. The user desires tofund the e-purse from an account associated with a bank. At 402, theuser enters a set of personal identification numbers (PIN). Assuming thePIN is valid, an e-purse manger in the portable device is activated andinitiates a request (also referred to an over-the-air (OTA) top-uprequest) at 404. The MIDlet in the portable device sends a request tothe e-purse applet at 406, which is illustrated in FIG. 4C where thee-purse manager MIDlet 434 communicates with the e-purse applet 436.

At 408, the e-purse applet composes a response in responding to therequest from the MIDlet. Upon receiving the response, the MIDlet sendsthe response to a payment network and server over a cellularcommunications network. As shown in FIG. 4C, the e-purse manager MIDlet434 communicates with the e-purse applet 436 for a response that is thensent to the payment network and server 440. At 410, the process 400needs to verify the validity of the response. If the response cannot beverified, the process 400 stops. If the response can be verified, theprocess 400 moves to 412 where a corresponding account at a bank isverified. If the account does exist, a fund transfer request isinitiated. At 414, the bank receives the request and responds to therequest by returning a response. In general, the messages exchangedbetween the payment network and server and the bank are compliant with anetwork protocol (e.g., HTTP for the Internet).

At 416, the response from the bank is transported to the payment networkand server. The MIDlet strips and extracts the APDU commands from theresponse and forwards the commands to the e-purse applet at 418. Thee-purse applet verifies the commands at 420 and, provided they areauthorized, sends the commands to the emulator at 420 and, meanwhileupdating a transaction log. At 422, a ticket is generated to formulate aresponse (e.g., in APDU format) for the payment server. As a result, thepayment server is updated with a successful status message for theMIDlet, where the APDU response is retained for subsequent verificationat 424.

As shown in FIG. 4C, the payment network and server 440 receives aresponse from the e-purse manager MIDlet 434 and verifies that theresponse is from an authorized e-purse applet 436 originally issuedtherefrom with a SAM 444. After the response is verified, the paymentnetwork and server 440 sends a request to the financing bank 442 withwhich the user 432 is assumed to maintain an account. The bank willverify the request, authorize the request, and return an authorizationnumber in some pre-arranged message format. Upon receiving the responsefrom the bank 442, the payment server 440 will either reject the requestor accept the request by forming a network response sent to the MIDlet434.

The e-purse manager 434 verifies the authenticity (e.g., in APDU format)and sends commands to the emulator 438 and updates the transaction logs.By now, the e-purse applet 436 finishes the necessary steps and returnsa response to the MIDlet 434 that forwards an (APDU) response in anetwork request to the payment server 440.

Although the process 400 is described as funding the e-purse. Thoseskilled in the art can appreciate that the process of making purchasingover a network with the e-purse is substantially similar to the process400, accordingly no separate discussion on the process of makingpurchasing is provided.

Referring to FIG. 5A, there is shown a first exemplary architecture 500of enabling a portable device 530 for e-commerce and m-commerce over acellular communications network 520 (e.g., a GPRS network) in accordancewith one embodiment of the present invention. The portable device 530comprises a baseband 524 and a secured element 529 (e.g., a smart card).One example of such portable device is a Near Field Communication (NFC)enabled portable device (e.g., a cell mobile phone or a PDA). Thebaseband 524 provides an electronic platform or environment (e.g., aJava Micro Edition (JME), or Mobile Information Device Profile (MIDP)),on which an application MIDlet 523 and a service manager 522 can beexecuted or run. The secured element 529 contains a global platform (GP)card manager 526, an emulator 528 and other components such as PINmanager (not shown), wherein the global platform is an independent,not-for-profit organization concerned with a standardized infrastructurefor development, deployment and management of smart cards.

To enable the portable device 530 to conduct e-commerce and m-commerce,one or more services/applications need to be pre-installed andpre-configured thereon. An instance of a service manager 522 (e.g., aMIDlet with GUI) needs to be activated. In one embodiment, the servicemanager 522 is downloaded and installed. In another embodiment, theservice manager 522 is preloaded. In any case, once the service manager522 is activated, a list of directories for various services is shown.The items in the list may be related to the subscription by a user, andmay also include items in promotion independent of the subscription bythe user. The directory list may be received from a directory repository502 of a directory server 512. The directory server 512 acts as acentral hub (i.e., yellow page functions) for different serviceproviders (e.g., an installation server, a personalization server) thatmay choose to offer products and/or services to subscribers. The yellowpage functions of the directory server 512 may include service planinformation (e.g., service charge, start date, end date, etc.),installation, personalization and/or MIDlet download locations (e.g.,Internet addresses). The installation and personalization may beprovided by two different business entities. For example, theinstallation is provided by an issuer of a secured element 529, whilethe personalization may be provided by a service provider who holdsapplication transaction keys for a particular application.

According to one embodiment, the service manager 522 is configured toconnect to one or more servers 514 (e.g., a TSM server) from a serviceprovider(s) over the cellular communications network 520. It is assumedthat the user has chosen one of the applications from the displayeddirectory. A secured channel 518 is established between the one or moreservers 514 and the GP manager 526 to install/download an applicationapplet 527 selected by the user and then to personalize the applicationapplet 527 and optionally emulator 528, and finally to download anapplication MIDlet 523. The applet repository 504 and MIDlet repository506 are the sources of generic application applets and applicationMIDlets, respectively. GP SAM 516 and application SAM 517 are used forcreating the secured channel 518 for the personalization operations.

FIG. 5B is a diagram showing a second exemplary architecture 540 ofenabling a portable device 530 for e-commerce and m-commerce over apublic network 521, according to another embodiment of the presentinvention. Most of the components of the second architecture 540 aresubstantially similar to those of the first architecture 500 of FIG. 5A.While the first architecture 500 is based on operations over a cellularcommunications network 520, the public network 521 (e.g., Internet) isused in the second architecture 540. The public network 521 may includea local area network (LAN), a wide area network (WAN), a Wi-Fi (IEEE802.11) wireless link, a Wi-Max (IEEE 802.16) wireless link, etc. Inorder to conduct service operations over the public network 521, aninstance of the service manager 532 (i.e., same or similar functionalityof the service manager MIDlet 522) is installed on a computer 538, whichis coupled to the public network 521. The computer 538 may be a desktoppersonal computer (PC), a laptop PC, or other computing devices that canexecute the instance of the service manager 532 and be connected to thepublic network 521. The connection between the computer 538 and theportable device 530 is through a contactless reader 534. The servicemanager 532 acts as an agent to facilitate the installation andpersonalization between one or more servers 514 of a service providerand a GP card manager 526 via a secured channel 519.

FIG. 5C is a flowchart illustrating a process 550 of enabling a portabledevice for e-commerce and m-commerce functionalities in accordance withone embodiment of the present invention. The process 550 may beimplemented in software, hardware or a combination of both depending onimplementation. To better understand the process 500, previous figuresespecially FIG. 5A and FIG. 5B are referred to in the followingdescription.

Before the process 550 starts, an instance of a service manager 522 or532 has been downloaded or pre-installed on either the portable device530 or a computer 538. At 552, the service manager is activated andsends a service request to the server 514 at a service provider. Nextafter the authentication of a user and the portable device has beenverified, at 554, the process 550 provides a directory list ofservices/applications based on subscription of the user of the portabledevice 530. For example, the list may contain a mobile POS application,an e-purse application, an e-ticketing application, and othercommercially offered services. Then one of the services/applications ischosen from the directory list. For example, an e-purse or a mobile-POSmay be chosen to configure the portable device 530. Responding to theuser selection, the process 550 downloads and installs the selectedservices/applications at 556. For example, e-purse applet (i.e.,application applet 527) is downloaded from the applet repository 504 andinstalled onto a secured element 529. The path for downloading orinstallation may be either via a secured channel 518 or 519. At 558, theprocess 550 personalizes the downloaded application applet and theemulator 528 if needed. Some of the downloaded application applets donot need to be personalized and some do. In one embodiment, a mobile POSapplication applet (“POS SAM”) needs to be personalized, and thefollowing information or data array has to be provided:

-   -   a unique SAM ID based on the unique identifier of the underlying        secured element;    -   a set of debit master keys;    -   a transformed message encryption key;    -   a transformed message authentication key;    -   a maximum length of remark for each offline transaction;    -   a transformed batch transaction key; and    -   a GP PIN.

In another embodiment, personalization of an e-purse applet for a singlefunctional card not only needs to configure specific data (i.e., PINs,transformed keys, start date, end date, etc.) onto the e-purse, but alsoneeds to configure the emulator to be operable in an open system.Finally, at 560, the process 550 downloads and optionally launches theapplication MIDlet 523. Some of the personalized data from theapplication applet may be accessed and displayed or provided from theuser. The process 550 ends when all of the components ofservices/applications have been installed, personalized and downloaded.

According to one embodiment, an exemplary process of enabling a portabledevice 530 as a mobile POS is listed as follows:

-   -   connecting to an installation server (i.e., one of the service        provider server 514) to request the server to establish a first        security channel (e.g., the secured channel 518) from an issuer        domain (i.e., applet repository 504) to the GP card manager 526        residing in a secured element 529;    -   receiving one or more network messages including APDU requests        that envelop a POS SAM applet (e.g., a Java Cap file from the        applet repository 504);    -   extracting the APDU requests from the received network messages;    -   sending the extracted APDU requests to the GP card manager 526        in a correct order for installation of the POS SAM (i.e.,        application applet 527) onto the secured element 529;    -   connecting to a personalization server (i.e., one of the service        provider servers 514) for a second security channel (may or may        not be the secured channel 518 depending on the server and/or        the path) between the personalization server and the newly        downloaded applet (i.e., POS SAM);    -   receiving one or more network messages for one or more separated        ‘STORE DATA APDU’; and    -   extracting and sending the ‘STORE DATA APDU’ to personalize POS        SAM; and    -   downloading and launching POS manager (i.e., application MIDlet        523).

Referring to FIG. 6A, there is shown an exemplary architecture 600, inwhich a portable device 630 is enabled as a mobile POS to conducte-commerce and m-commerce, according to one embodiment of the presentinvention. The portable device 630 comprises a baseband 624 and asecured element 629. A POS manager 623 is downloaded and installed inthe baseband 623 and a POS SAM 628 is installed and personalized in thesecured element 629 to enable the portable device 630 to act as a mobilePOS. Then a real time transaction 639 can be conducted between themobile POS enabled portable device 630 and an e-token enabled device 636(e.g., a single functional card or a portable device enabled with ane-purse). The e-token may represent e-money, e-coupon, e-ticket,e-voucher or any other forms of payment tokens in a device.

The real time transaction 639 can be conducted offline (i.e., withoutthe portable device connecting to a backend POS transaction server 613).However, the portable device 630 may connect to the backend POStransaction servers 613 over the cellular network 520 in certaininstances, for example, the amount of the transaction is over apre-defined threshold or limit, the e-token enabled device 636 needs atop-up or virtual top-up, transactional upload (single or in batch).

Records of accumulated offline transactions need to be uploaded to thebackend POS transaction server 613 for settlement. The upload operationsare conducted with the portable device 630 connecting to the POStransaction server 613 via a secured channel 618. Similar to theinstallation and personalization procedures, the upload operations canbe conducted in two different routes: the cellular communicationsnetwork 520; or the public network 521. The first route has beendescribed and illustrated in FIG. 6A.

The second route is illustrated in FIG. 6B showing an exemplaryarchitecture 640, in which a portable device 630 is enabled as a mobilePOS conducting a transaction upload in batch operation over a publicnetwork 521, according to an embodiment of the present invention.Records of offline transactions in the mobile POS are generally kept andaccumulated in a transaction log in the POS SAM 628. The transaction logare read by a contactless reader 634 into a POS agent 633 installed on acomputer 638. The POS agent 633 then connects to a POS transactionserver 613 over the public network 521 via a secured channel 619. Eachof the upload operations is marked as a different batch, which includesone or more transaction records. Data communication between the POS SAM628, the contactless reader 634 and the POS agent 632 in APDU containingthe transaction records. Network messages that envelop the APDU (e.g.,HTTP) are used between the POS agent 632 and the POS transaction server613.

In one embodiment, an exemplary batch upload process from the POSmanager 623 or the POS agent 633 includes:

-   -   sending a request to the POS SAM 628 to initiate a batch upload        operation;    -   retrieving accumulated transaction records in form of APDU        commands from a marked “batch” or “group” in the POS SAM 628        when the POS SAM 628 accepts the batch upload request;    -   forming one or more network messages containing the retrieved        APDU commands; sending the one or more network messages to the        POS transaction server 613 via a secured channel 619;    -   receiving a acknowledgement signature from the POS transaction        server 613;    -   forwarding the acknowledgement signature in form APDU to the POS        SAM 628 for verification and then deletion of the confirmed        uploaded transaction records; and    -   repeating the step b) to step f) if there are additional        un-uploaded transaction records still in the same “batch” or        “group”.

Referring to FIG. 6C, there is shown a flowchart illustrating a process650 of conducting m-commerce using the portable device 630 enabled toact as a mobile POS with an e-token enabled device 636 as a singlefunctional card in accordance with one embodiment of the presentinvention. The process 650, which is preferably understood inconjunction with the previous figures especially FIG. 6A and FIG. 6B,may be implemented in software, hardware or a combination of both.

The process 650 (e.g., a process performed by the POS manager 623 ofFIG. 6A) starts when a holder of an e-token enabled device (e.g., aMifare card or an e-purse enabled cell phone emulating single functionalcard) desires to make a purchase or order a service with the mobile POS(i.e., the portable device 630). At 652, the portable device 630retrieving an e-token (e.g., tag ID of Mifare card) by reading thee-token enabled device. Next, the process 650 verifies whether theretrieved e-token is valid at 654. If the e-token enabled device 636 ofFIG. 6A is a single functional card (e.g., Mifare), the verificationprocedure performed by the POS manager 623 includes: i) reading the cardidentity (ID) of the card stored on an area that is unprotected orprotected by a well-known key; ii) sending an APDU request containingthe card ID to the POS SAM 628; iii) and receiving one or moretransformed keys (e.g., for transaction counter, an issuer data, etc.)generated by the POS SAM 628. If the one or more received transformedkeys are not valid, that is, the retrieved e-token being not valid, thenthe process 650 ends. Otherwise, the process 650 following the “yes”branch to 656, in which it is determined whether there is enough balancein the retrieved e-token to cover the cost of the current transaction.If the result is “no” at 656, the process 650 may optionally offer theholder to top-up (i.e., load, fund, finance) the e-token at 657. If“no”, the process 650 ends. Otherwise if the holder agrees to a realtime top-up of the e-token enabled device, the process 650 performseither a top-up or a virtual top-up operation at 658. Then the process650 goes back to 656. Whereas there is enough balance in the e-token,the process 650 deducts or debits the purchase amount from the e-tokenof the e-token enabled device 636 at 660. In the single functional cardcase, the one or more transformed keys are used to authorize thededuction. Finally at 662, records of one or more offline transactionsaccumulated in the POS SAM 628 are uploaded to the POS transactionserver 613 for settlement. The upload operations may be conducted foreach transaction or in batch over either the cellular communicationsnetwork 520 or the public domain network 521.

The top-up operations have been described and shown in the process 400of FIG. 4A. A virtual top-up operation is a special operation of thetop-up operation and typically is used to credit an e-token by a sponsoror donor. To enable a virtual top-up operation, the sponsor needs to setup an account that ties to an e-token enabled device (e.g., a singlefunctional card, a multi-functional card, an e-token enable cell phone,etc.). For example, an online account is offered by a commercial entity(e.g., business, bank, etc.). Once the sponsor has funded the e-token tothe online account, the holder of the e-token enabled device is able toreceive an e-token from the online account when connecting to the mobilePOS. Various security measures are implemented to ensure the virtualtop-up operation is secure and reliable. One exemplary usage of thevirtual top-up is that a parent (i.e., a sponsor) can fund an e-tokenvia an online account, which is linked to a cell phone (i.e., an e-tokenenabled device) of a child (i.e., the holder), such that the child mayreceive the funded e-token while the child makes a purchase at a mobilePOS. In addition to various e-commerce and m-commerce functionalitiesdescribed herein, the POS manager 623 is configured to provide variousquery operations, for example, a) checking the un-batched (i.e., notuploaded) balance accumulated in the POS SAM, b) listing the un-batchedtransaction log in the POS SAM, c) viewing details of a particulartransaction stored in the POS SAM, d) checking the current balance of ane-token enabled device, e) listing a transaction log of the e-tokenenabled device, and f) viewing details of a particular transaction ofthe e-token enabled device.

Referring to FIG. 6D, there is shown a flowchart illustrating anexemplary process 670 of conducting m-commerce using the portable device630 enabled to act as a mobile POS with an e-token enabled device 636 asa multi-functional card in accordance with one embodiment of the presentinvention. The process 670, which is preferably understood inconjunction with the previous figures especially FIG. 6A and FIG. 6B,may be implemented in software, hardware or a combination of both.

The process 670 (e.g., a process performed by the POS manager 623 ofFIG. 6A) starts when a holder of an e-token enabled device 636 (e.g., amulti-functional card or an e-purse enabled cell phone emulating amulti-functional card) desires to make a purchase or order a servicewith the mobile POS (i.e., the portable device 630). At 672, the process670 sends an initial purchase request to the e-token enabled device 636.The purchase amount is sent along with the initial request (e.g., APDUcommands). Next the process 670 moves to decision 674. When there is notenough balance in the e-token enabled device 636. The initial purchaserequest will be turned down as a return message received at the POSmanager 623. As a result, the process 670 ends with the purchase requestbeing denied. If there is enough balance in the e-token enabled device636, the result of the decision 674 is “yes” and the process 670 followsthe “yes” branch to 676. The received response (e.g., APDU commands)from the e-token enabled device 636 is forwarded to the POS SAM 628. Theresponse comprises information such as the version of the e-token keyand a random number to be used for establishing a secured channelbetween the applet (e.g., e-purse applet) resided on the e-token enableddevice 636 and the POS SAM 628 installed on the portable device 630.Then, at 678, the process 670 receives a debit request (e.g., APDUcommands) generated by the POS SAM 628 in response to the forwardedresponse (i.e., the response at 676). The debit request contains aMessage Authentication Code (MAC) for the applet (i.e., e-purse applet)to verify the upcoming debit operation, which is performed in responseto the debit request sent at 680. The process 670 moves to 682 in whicha confirmation message for the debit operation is received. In theconfirmation message, there are additional MACs, which are used forverification and settlement by the POS SAM 628 and the POS transactionserver 613, respectively. Next at 684, the debit confirmation message isforwarded to the POS SAM 628 for verification. Once the MAC is verifiedand the purchase transaction is recorded in the POS SAM 628, therecorded transaction is displayed at 686 before the process 670 ends. Itis noted that the e-commerce transaction described may be carried outoffline or online with the POS transaction server 613. Also when thereis not enough balance in the e-token enabled device, a top-up or fundingoperation may be performed using the process 400 illustrated in FIG. 4Aand FIG. 4B.

FIG. 7 shows an exemplary configuration in which a portable device isused for an e-ticketing application. A portable device 730 is configuredto include an e-purse 724. When an owner or holder of the portabledevice 730 desires to purchase a ticket for a particular event (e.g., aconcert ticket, a ballgame ticket, etc.), the owner can use e-purse 724to purchase a ticket through an e-ticket service provider 720. Thee-ticket service provider 720 may contact a traditional box officereservation system 716 or an online ticketing application 710 for ticketreservation and purchase. Then e-token (e.g., e-money) is deducted fromthe e-purse 724 of the portable device 730 to pay the ticket purchase toa credit/debit system 714 (e.g., a financial institute, a bank). A SAM718 is connected to the e-ticket service provider 720 so that theauthentication of e-purse 724 in the portable device 730 can be assured.Upon a confirmation of the payment is received, the e-ticket isdelivered to the portable device 730 over the air (e.g., a cellularcommunications network) and stored onto a secured element 726electronically, for example, an e-ticket code or key or password. Lateron, when the owner of the portable device 730, the ticket holder,attends the particular event, the owner needs only to let a gatecheck-in reader 734 to read the stored e-ticket code or key in theportable device 730. In one embodiment, the gate check-in reader 734 isa contactless reader (e.g., an ISO 14443 complied proximity couplingdevice). The portable device 730 is a NFC capable mobile phone.

Referring now to FIG. 8A, it shows a diagram of multiple partiesinvolved in a TSM operated and orchestrated by a business according toone embodiment. A TSM operation team 802 includes an administrationresponsible for managing accounts for users that have personalized theirSEs via the TSM and other tasks. In one embodiment, the TSM operationteam 802 includes someone for managing the accounts and someone formanaging system resources, such as managing HSM, creating HSM indicesand GP keyset mapping. In addition, the team is responsible for offlineimporting default ISD info from one or more SE manufacturers. The teammay also include someone referred to as a certification engineerresponsible to collaborate with service providers and the SE issuers onapplication approval process. The TSM sales team 804, also referred toas business account manager, is responsible for sales and accountmanagement for the vendors of the TSM. Some of the team 804 may onlywork with the SE manufacturers, some may only work with SE Issuers whileother may work with more than one type of vendors. The TSM partnerservice team 806, also referred to as support engineers, is responsiblefor providing technical support to the vendors of the TSM, such as theSE issuers and the service providers. The TSM partner service team 806,does not deal directly with mobile users but helps partners analyzeaudit logs. The vendors 808 include one or more of the SE Issuers, theSE manufacturers, and the service providers. An SE issuer holds theresponsibilities for the issuance of SEs and owns the ISD of the SEs.Working with the TSM teams, it can install additional SSD for serviceproviders if needed. An SE manufacturer as the name suggests isresponsible for manufacturing the SEs and installing a default ISD inthe SEs. It also works with the TSM teams to provide these default ISDkey sets. The service provider is responsible for developing NFC mobileapplications. Exemplary applications from the service providers include,but may not be limited to, transit purses, bank's e-purses and creditcards. Smaller service providers may be those to provide applicationsused as room keys.

FIG. 8B shows relevant operations among the parties in the TSM accordingto one embodiment. The description of the operations is not to bedescribed in detail herein to avoid obscuring the important aspect ofthe embodiment of the present invention. FIG. 8C shows a work flow amongmultiple parties to establish mutually agreed arrangement in anexemplary TSM. An SE issuer or a service provider asks the TSM to houseits GP keyset. For the SE issuer. In one embodiment, this GP keyset ismost likely to be used as ISD. For the service provider, this keysetwill be used as SSD. The process of creating the keyset involvescreating the keys in the HSM and creates a mapping in TSM system asindicated in FIG. 8C. The effective range of the mapping will be set toa contract expiring date. In general, an HSM key index cannot be activefor more than one mapping at the same time.

When the keyset is about to expire, a renewal may be made. The renewalflow is similar to the creation process shown in FIG. 8C. According toone embodiment, the TSM will send a notification to the keyset ownerperiodically a few months before the keyset expires. The notificationstops once the keyset owner renews the contract. The keyset owner canstart the renewal process by creating a work request or item. Aresponsible TSM business account manager approves/rejects the work item.Upon receiving the approved work item, the TSM administration updatesthe keyset expiring date according to the renewal contract.

Similarly, the keyset can be expired earlier or terminated. Theterminate flow is similar to the creation process shown in FIG. 8C. Thekeyset owner can request to stop the keyset at a future date. Theresponsible TSM business account manager will verify and approve/rejectthe request immediately. The TSM administration sets the expiring dateof the mapping to the specified date. The HSM key indices can be reusedby the TSM for other vendors. An audit log is maintained to keep trackof the transactions.

FIG. 8D shows a data flow for an ISD mapping between an SE issuer andthe TSM. In general, the ISD mappings are managed by each SE Issuerdirectly. An SE Issuer can create a mapping to bind an external orinternal keyset to an ISD key index. External keysets are keysets notresiding in an HSM associated with a TSM while the internal keysets arethose residing in the HSM. Normally, the SE issuer should not need tospecify the default ISD as the default ISD comes from the SEmanufacturer. However, an SE Issuer has an option to overwrite thisdefault ISD if needed.

According to FIG. 8D, the SE Issuer creates an ISD mapping for a card OSto bind a keyset and an ISD key index (e.g., ranging from 1 to 127). Ifthe keyset is not external, the TSM will ensure that the keyset mappingwith its HSM exists. In operation, the SE issuer can directly modify ordelete the ISD mapping. As described above, an SE Manufacturer has thedefault ISD information for the SEs that it produces. The TSM providesboth batch and real-time approaches for the SE manufacturer to sharethis information. Depending on the agreement with TSM, the manufacturercan use either the batch or real-time approach, which has been describedabove.

For security reasons, a service provider (SP) may want to have its ownSSD for personalizing its applications. The SSD mapping is created by anSE issuer to bind a key index it assigns to the service provider to theSP keyset. FIG. 8E shows a corresponding data flow among a serverprovider, an SE issuer and the TSM. Similar to the SSD creation, aservice provider may request the SE issuer to delete a SSD mapping. Theworkflow is substantially similar to the SSD creation.

As described above, applications are provided by service providers tothe users. An application needs to be approved and published before itis available for mobile users to subscribe and download. For example, aservice provider needs to submit an application to SE issuer and TSM forapproval. In operation, a service provider needs to submit anapplication to the SE issuer and TSM for approval. FIG. 8F shows a dataflow for the approval of an application by an SE issuer. If a dedicatedSSD is needed, the service provider can request a SSD beforehand asdescribed in Section 6, or can indicate in the request. If a dedicatedSSD is needed, the service provider can request a SSD beforehand asabove or can indicate in the request. Before an approved application isavailable to general public yet, either the service provider or the SEissuer can initiate the publishing process. Both parties must agreebefore the application is published in the TSM for the users. Then thevendors are notified of the date and availability of the application.

In some cases, an SE needs to be replaced. The SE replacement couldhappen at a request of either a mobile user or its SE issuer. Mostly, itis to upgrade a SE for a bigger memory for more services. The followingthree points should be noted:

-   -   For those applications need to migrate their application states        from the old SE, the old SE need to be still accessible by the        applications (via TSM).    -   For those applications requiring no state migration, the TSM        needs simply just reinstall and personalize the applications.    -   However, if any applications that have states in the SE but do        not support state migration, the TSM is not able to migrate        their states. For these applications, they will be treated as        the second case (namely, the applications must be reinstalled        and personalized).

FIG. 8G shows a process of replacing an SE and involves the followingstages. An SE issuer informs a TSM about

-   -   SE issuer informs TSM about SE replacement request;    -   TSM collaborates with service providers to prepare APDU commands        for collecting states of applications on the old SE;    -   For each application, TSM executes the command(s) to retrieve        application states and lock the application;    -   TSM informs mobile user to physically change the new SE. Mobile        user may change his/her mind to rollback the replacement        request. No rollback is possible after this step;    -   TSM will update the default ISD if it has not been done; and    -   Collaborating with Service Providers, TSM will install and        personalize or provision each application. If needed, TSM will        install the SSD for service providers. The personalization data        will be prepared based on the static data in the service        provider and the dynamic application states.

Referring now to FIG. 9, it shows a snapshot of a screen display of anaccount for a personalized SE. As shown in the menu 902, the accountmaintains detailed information 904 about the SE that has beenpersonalized. In addition, the account includes a list of provisionedapplications as well as security keys. Other information such asapplication owners (who developed the applications), the responsiblecontact at the TSM, an SE log as well as an applications log may bemaintained.

The invention is preferably implemented by software, but can also beimplemented in hardware or a combination of hardware and software. Theinvention can also be embodied as computer readable code on a computerreadable medium. The computer readable medium is any data storage devicethat can store data which can thereafter be read by a computer system.Examples of the computer readable medium include read-only memory,random-access memory, CD-ROMs, DVDs, magnetic tape, optical data storagedevices, and carrier waves. The computer readable medium can also bedistributed over network-coupled computer systems so that the computerreadable code is stored and executed in a distributed fashion.

The present invention has been described in sufficient details with acertain degree of particularity. It is understood to those skilled inthe art that the present disclosure of embodiments has been made by wayof examples only and that numerous changes in the arrangement andcombination of parts may be resorted without departing from the spiritand scope of the invention as claimed. Accordingly, the scope of thepresent invention is defined by the appended claims rather than theforegoing description of embodiment.

We claim:
 1. A method for settling a payment, the method comprising:providing a software module to be executed in a first mobile deviceembedded with a secure element, wherein the secure element ispersonalized with operations of: causing device information of thesecure element to be sent to a server configured to identify whichissuer has issued the secure element based on an identifier in thedevice information, determining from the issuer whether the secureelement has been personalized, and personalizing the secure element whenthe secure element has not been personalized, and wherein the softwaremodule is provisioned with the personalized secure element, the firstmobile device is configured to include data pertaining to an electronicinvoice and transmits the electronic invoice to a second mobile deviceassociated with a user, the second mobile device includes an electronicpurse funded via a financial institution and embedded with an emulatorto process a monetary transaction, the electronic purse is supported byan applet running in the second mobile device, and the applet has beenprovisioned with operations including: establishing a first securedchannel between the applet and a security authentication module (SAM) ora payment server; and establishing a second secured channel so thatvarious data is exchanged between the applet and an existing SAMoriginally used to issue the applet as well as between the emulator andthe existing SAM; receiving a payment request from a second mobiledevice after the user views the electronic invoice displayed on thesecond mobile device and authorizes the payment to the electronicinvoice, wherein the second mobile device is a near-field communicationdevice and configured to execute an application that communicates withthe software module in the first mobile device to generate the paymentrequest; verifying the payment request; and sending a payment responseto a user of the first mobile device after the payment request isprocessed.
 2. The method as recited in claim 1, wherein the secondmobile device includes a display screen and is caused to display theelectronic invoice, and wherein the user of the second mobile device hasan option to modify an amount in the invoice when the payment request isgenerated.
 3. The method as recited in claim 2, wherein the data furtherincludes the identifier of the personalized secure element, and saidverifying the payment request comprises: verifying whether the user ofthe second mobile device maintains an account for settling theelectronic invoice and the identifier of the secure element has alreadybeen authenticated.
 4. The method as recited in claim 3, furthercomprising: exchanging encrypted messages with a financial institutionthat holds the account for the user of the second mobile device totransfer the amount to a designated account of the user of the firstmobile device; and generating the payment response once a confirmedmessage is received that the amount has been received in the designatedaccount.
 5. The method as recited in claim 1, wherein the first mobiledevice is a contactless card and part of a point of sale (POS) deviceused to generate invoices, the contactless card is loaded with theelectronic invoice, and the data further includes an identifier of thepersonalized secure element and an identifier of the user to facilitatea settlement to a charge in the electronic invoice by money transfer bya service in a trusted service management (TSM).
 6. The method asrecited in claim 1, further comprising: initiating a request from theapplet after valid personal identification numbers are entered andaccepted on the second mobile device; and transporting a response to apayment server configured to verify that the response is from anauthenticated applet, wherein the payment server further communicateswith a financial institution to authorize a transaction therewith. 7.The method as recited in claim 1, wherein the first mobile device is anNFC device used to generate the electronic invoice.
 8. A gatewayprovided for settling a payment, the gateway comprising: a portalproviding a software module to be downloaded and executed in a firstmobile device embedded with a secure element, wherein the secure elementis personalized with operations of: causing device information of thesecure element to be sent to a server configured to identify whichissuer has issued the secure element based on an identifier in thedevice information; determining from the issuer whether the secureelement has been personalized; and personalizing the secure element whenthe secure element has not been personalized, wherein the softwaremodule is provisioned with the personalized secure element, the firstmobile device is configured to include data pertaining to an electronicinvoice and transmit the electronic invoice to a second mobile deviceassociated with a user; a server comprising: a processor; a store,coupled to the processor, for code to be executed in the processor tocause the server to perform operations of: receiving a payment requestfrom a second mobile device after the user views the electronic invoicedisplayed on the second mobile device and authorizes the payment to theelectronic invoice, wherein the second mobile device is a near-fieldcommunication device and is configured to execute an application thatcommunicates with the software module in the first mobile device togenerate the payment request, and said receiving a payment requestcomprises operations of: sending a rejection to the second mobile devicewhen an amount provided by the user of the second mobile device to besettled is less than an amount being charged in the electronic invoice;or proceeding with a payment process when an amount provided by the userof the second mobile device to be settled is equal or more than anamount being charged in the electronic invoice; verifying the paymentrequest; and sending a payment response to a user of the first mobiledevice after the payment request is processed.
 9. The gateway as recitedin claim 8, wherein the second mobile device includes a display screen,and wherein the user of the second mobile device has an option to modifyan amount in the invoice when the payment request is generated.
 10. Thegateway as recited in claim 9, wherein the data further includes theidentifier of the personalized secure element, and said verifying thepayment request comprises: verifying whether the user of the secondmobile device maintains an account for settling the electronic invoiceand the identifier of the secure element has already been authenticated.11. The gateway as recited in claim 10, further comprising operationsof: exchanging encrypted messages with a financial institution thatholds the account for the user of the second mobile device to transferthe amount to a designated account of the user of the first mobiledevice; and generating the payment response once a confirmed message isreceived that the amount has been received in the designated account.12. The gateway as recited in claim 8, wherein the first mobile deviceis a contactless card and part of a point of sale (POS) device used togenerate invoices, the contactless card is loaded with the electronicinvoice, and the data further includes an identifier of the personalizedsecure element and an identifier of the user to facilitate a settlementto a charge in the electronic invoice by money transfer by a service ina trusted service management (TSM).
 13. The gateway as recited in claim8, wherein the second mobile device includes an electronic purse fundedvia a financial institution, the second mobile device is embedded withan emulator to process a monetary transaction.
 14. The gateway asrecited in claim 8, further comprising operations of: initiating arequest from the applet after valid personal identification numbers areentered and accepted on the second mobile device; and transporting aresponse to a payment server configured to verify that the response isfrom an authenticated applet, wherein the payment server furthercommunicates with a financial institution to authorize a transactiontherewith.
 15. The gateway as recited in claim 8, wherein the firstmobile device is an NFC device used to generate the electronic invoice.16. The method as recited in claim 1, wherein said receiving a paymentrequest comprises: sending a rejection to the second mobile device whenan amount provided by the user of the second mobile device to be settledis less than an amount being charged in the electronic invoice; orproceeding with a payment process when an amount provided by the user ofthe second mobile device to be settled is equal or more than an amountbeing charged in the electronic invoice.